Embodiments of the inventive concept described herein relate to a user authentication method with enhanced security, and more particularly to a user authentication method in which a certificate authority need not manage the user's password, the user can easily replace the password, the user can determine whether an authentication site is genuine, and security is enhanced through multi-authentication.
In modern society it has become common for financial transactions and other business requiring user authentication to be conducted online rather than face to face. Online user authentication demands a more cautious approach than face-to-face contact. In most cases the user is required to install various security programs, such as ActiveX controls, keyboard security programs, or control programs, on the user terminal, and information leakage is guarded against by strengthening security through devices such as certificates, security cards, and one-time password (OTP) devices.
An OTP device, which is one of the representative user authentication methods, has an embedded unique key and is provided to the user in advance. When the user accesses an electronic banking network and requests an authentication server (a server of a financial institution) to perform authentication, the OTP device generates an OTP number from a random number associated with the current time, using the unique key as the operation key. The user manually enters the generated OTP number as a password and sends it to the authentication server, which uses the OTP number to verify that the user is genuine.
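As an added example (not part of the patent text), the following Python implements the time-based OTP exchange just described in the standard RFC 4226/RFC 6238 form, which the page does not specify and is assumed here: the device derives the code from its embedded unique key and the current time step, and the authentication server, holding the same key, recomputes the code and checks it within a small clock-drift window. The key bytes, the 30-second step, and the 6-digit length are constructed demo values.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret standing in for the "unique key" embedded in the
# OTP device and held by the authentication server (the RFC 4226 test key).
SHARED_KEY = b"12345678901234567890"
TIME_STEP = 30   # seconds per OTP period (assumed; the page gives no value)
DIGITS = 6       # OTP length (assumed)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Device side: the time step counter is the 'random number associated
    with the current time'; the unique key is the HMAC operation key."""
    return hotp(key, unix_time // step)


def verify_otp(key: bytes, submitted: str, unix_time: int,
               window: int = 1, step: int = TIME_STEP) -> bool:
    """Server side: recompute the code for the current step and +/- `window`
    neighbouring steps (clock drift, entry delay) and compare in constant
    time. Anything outside the window, or any other digits, is rejected."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_KEY, now)                # what the device displays
    print("OTP:", code, "accepted:", verify_otp(SHARED_KEY, code, now))
```

Because the server must hold the same unique key to verify, leakage of the server-side key store defeats every device issued against it, which is the reissue cost the text goes on to describe.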
However, a user who transacts with a plurality of financial institutions is provided with an OTP device by each of them, so he or she must separately purchase an OTP device for each financial institution and carry a plurality of OTP devices, and must search among them one by one for the authentication device belonging to a specific financial institution.
Further, since the user may optionally replace the unique key of an OTP device, a user who loses the OTP device must visit the financial institution in person to be issued a new one. It also takes enormous expense and time for a financial institution to reissue OTP devices to all of its clients if the unique keys of the clients' OTP devices leak.
Meanwhile, when the user is authenticated by, or logs in to, a related server with a specified password, the related server must register, store, and manage the user's password, and the user must remember it. Since the related server asks the user to change the password regularly to guard against leakage, managing the password is inconvenient.
In addition, with the development of hacking technologies, information is leaked in various ways: screen capturing, shoulder surfing attacks, screen hacking techniques such as screen monitoring, and leakage of certificates or passwords through spyware installed on personal computers (PCs). Since a professional hacker may decrypt an encrypted password with some degree of effort, a user authentication procedure must provide both convenience and enhanced security.